Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

DISCLOSURE AND ACCOUNTING OF PROTECTED RECORDS BY CMS BETWEEN 2006 AND 2011

Daniel R. Levinson
Inspector General

January 2014
OEI-09-11-00430

EXECUTIVE SUMMARY: Disclosure and Accounting of Protected Records by CMS Between 2006 and 2011
OEI-09-11-00430

WHY WE DID THIS STUDY

The Centers for Medicare & Medicaid Services (CMS) maintains millions of records containing financial and health-related information. Inappropriate disclosures of records or data maintained in a system of records (SOR) can result in loss of privacy and fraudulent activities. The Privacy Act of 1974 (Privacy Act) governs Federal agencies’ collection, use, and dissemination of individuals’ records maintained in an SOR. CMS maintains SORs, and its disclosures of records must be consistent with the Privacy Act. Further, the Privacy Act requires CMS to implement safeguards that protect records maintained in an SOR and to account for any disclosures. Among other things, CMS uses a data use agreement (DUA) to ensure its disclosures are in compliance with the Privacy Act. A DUA is the legally binding agreement that contains the written terms and conditions that govern each disclosure. Entities are required to submit a DUA and DUA-related documents to CMS prior to the disclosures.

HOW WE DID THIS STUDY

We reviewed data requests approved or renewed by CMS between September 2006 and August 2011. We limited our review to approved data requests from health-related SORs. We used the DUA tracking number generated by the Data Agreement and Data Shipping Tracking System (DADSS) to identify our population of approved requests. We selected a simple random sample of 150 approved requests using the DUA tracking number.
We interviewed\nCMS staff and reviewed SOR notices, CMS policies, and documents in the user agreement\nfiles, i.e., the DUA and/or DUA-related documents. We project our findings to our population.\n\nWHAT WE FOUND\n\nFor at least 98 percent of all approved data requests in our sample, CMS\xe2\x80\x99s disclosures of\nrecords were consistent with the routine uses identified in the SOR notices. Five percent of all\ndata files disclosed by CMS were not requested in the DUAs or updated DUAs. CMS did not\nhave the DUAs on file for 33 percent of all user agreement files. The absence of a DUA may\nlimit CMS\xe2\x80\x99s ability to verify what data were requested. For 29 percent of the user agreement\nfiles, CMS extended entities\xe2\x80\x99 use of data without documentation of requests for extensions.\nFifteen percent of DUAs were both expired and not closed properly by the entities.\n\nWHAT WE RECOMMEND\n\nWe recommend that CMS (1) develop a process to ensure that the data requested are the ones\ndisclosed to the entity; (2) ensure that the DUA and DUA-related documents are in a user\nagreement file; (3) ensure that entities submit the required documents to properly close their\nDUAs; (4) use a standardized, documented process for requesting and approving DUA\nextensions; and (5) ensure that expiration dates are consistent between the DUA and DADSS.\nCMS concurred with all five recommendations. 
In its agency response, CMS stated that it was\nreplacing DADSS with the Enterprise Privacy Policy Engine, an electronic information system\ndesigned to provide a 100-percent-traceable record of CMS\xe2\x80\x99s data disclosures.\n\x0cTABLE OF CONTENTS\n\nObjectives ....................................................................................................1 \n\nBackground ..................................................................................................1 \n\nMethodology ................................................................................................8 \n\nFindings......................................................................................................12 \n\n           For at least 98 percent of all approved data requests, CMS\xe2\x80\x99s \n\n           data disclosures were consistent with the routine uses ..................12 \n\n           CMS disclosed data files not requested in the DUAs or updated                                          \n\n           DUAs .............................................................................................12 \n\n           One-third of all user agreement files did not include the DUAs ...13 \n\n           CMS granted DUA extensions without documentation of \n\n           requests from the entities ...............................................................14 \n\n           Fifteen percent of all DUAs were expired and not closed \n\n           properly ..........................................................................................14 \n\nConclusion and Recommendations ............................................................15 \n\n           Agency Comments and Office of Inspector General Response.....18 \n\nAppendixes ................................................................................................19 \n\n           A: Point Estimates and Confidence Intervals ...............................19 \n\n           B: Agency Comments 
...................................................................21 \n\nAcknowledgments......................................................................................23 \n\n\x0c                  OBJECTIVES\n                  1.\t To determine whether the Centers for Medicare & Medicaid Services\xe2\x80\x99\n                      (CMS) disclosure of individuals\xe2\x80\x99 records is consistent with systems of\n                      records (SOR) notices required by the Privacy Act.\n                  2.\t To assess CMS\xe2\x80\x99s accounting of individuals\xe2\x80\x99 records disclosed to\n                      entities between 2006 and 2011.\n\n                  BACKGROUND\n                  CMS maintains millions of records containing financial and health-related\n                  information. Consistent with Federal laws, CMS may disclose the records\n                  to entities for certain uses without an individual\xe2\x80\x99s prior consent. A record\n                  is any item, collection, or grouping of information about an individual\n                  maintained by an agency.1 This information includes, but is not limited to,\n                  financial transactions and medical history that contains a name or other\n                  unique identifiers.2 Appropriate safeguards are needed to ensure that the\n                  records are disclosed appropriately and that CMS accurately accounts for\n                  those disclosures. 
Inappropriate disclosures can result in loss of privacy\n                  and fraudulent activities, such as medical identity theft and inappropriate\n                  billing.\n                  The Privacy Act of 1974\n                  The Privacy Act of 1974 (Privacy Act) governs the collection, use, and\n                  dissemination of individuals\xe2\x80\x99 records maintained in any SOR by Federal\n                  agencies, such as those within the Department of Health and Human\n                  Services (HHS).3 An SOR is a group of records under the control of an\n                  agency from which information is retrieved using an individual\xe2\x80\x99s name or\n                  other unique identifier.4 The Privacy Act prohibits Federal agencies from\n                  disclosing a record from an SOR without the individual\xe2\x80\x99s written request\n                  or prior consent.5 However, a record may be disclosed without a written\n                  request or prior consent for, among other things, the following:\n                       \xef\x82\xb7\t to agency officers and employees who have a need for the record\n                          in the performance of their duties,\n\n\n                  1\n                    5 U.S.C. \xc2\xa7 552a(a)(4), 45 CFR \xc2\xa7 5b.1(h).\n                  2\n                    Ibid. Other unique identifying information can include personally identifiable \n\n                  information, such as a number, symbol, or other identifiers assigned to an individual.\n\n                  3\n                    5 U.S.C. \xc2\xa7 552a.\n\n                  4\n                    5 U.S.C. \xc2\xa7 552a(a)(5). HHS\xe2\x80\x99s regulation implementing the Privacy Act excludes, \n\n                  among other things, records not retrieved by personal identifiers and papers maintained \n\n                  and discarded at the discretion of individual HHS employees. 
45 CFR \xc2\xa7 5b.1(n).\n\n                  5\n                    5 U.S.C. \xc2\xa7 552a(b).\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)             1\n\x0c                       \xef\x82\xb7\t for a routine use that is compatible with the purpose for which the\n                          data were collected,\n                       \xef\x82\xb7\t for statistical or research purposes,6 and\n                       \xef\x82\xb7\t to another agency or government entity for civil or criminal law\n                          enforcement activity pursuant to a written request.7\n                  CMS SORs\n                  CMS maintains SORs in accordance with the Privacy Act. CMS\xe2\x80\x99s SORs\n                  contain the records of millions of individuals, such as providers and\n                  beneficiaries enrolled in Medicare, Medicaid, and the Children\xe2\x80\x99s Health\n                  Insurance Program. Examples of SORs maintained by CMS include the\n                  National Claims History (NCH) file;8 Enrollment Database (EDB);9\n                  Medicare Provider Analysis and Review (MEDPAR) file;10 and the\n                  Provider Enrollment, Chain, and Ownership System (PECOS) database.11\n                  The Privacy Act requires that CMS provide public notice in the Federal\n                  Register about the existence of each SOR.12 Each SOR notice is to\n                  include, among other things, a description of the individuals for whom the\n                  records are collected and maintained and policies and practices regarding\n                  storage, retrieval, retention, and disposal of the records and controls for\n                  accessing them. 
Additionally, the SOR notice defines the appropriate\n                  routine use and disclosure of the records, which includes the purposes for\n                  which CMS collects and maintains records and the types of entities and\n                  purposes for which CMS may disclose a record without an individual\xe2\x80\x99s\n                  prior consent.13\n\n\n\n\n                  6\n                    This requires adequate written assurances that the records will be used solely for\n                  statistical or research purposes and that the records will be transferred in a form that is\n                  not personally identifiable.\n                  7\n                    5 U.S.C. \xc2\xa7 552a(b).\n                  8\n                    The NCH file maintains billing and utilization data on Medicare beneficiaries enrolled\n\n                  in Parts A and B. 71 Fed. Reg. 67137 (November 20, 2006).\n\n                  9\n                    EDB maintains information on Medicare enrollment and is used primarily to administer \n\n                  the Medicare program. 73 Fed. Reg. 10249 (February 26, 2008). \n\n                  10\n                     MEDPAR maintains Medicare beneficiary information on all services rendered during\n\n                  a stay at an inpatient hospital and/or a skilled nursing facility. 71 Fed. Reg. 17470\n\n                  (April 6, 2006). \n\n                  11\n                     PECOS maintains information on Medicare provider and supplier enrollment, payment, \n\n                  and business history that may include reported exclusions, sanctions, or felonious \n\n                  behavior. 71 Fed. Reg. 60536 (October 13, 2006). \n\n                  12\n                     5 U.S.C. \xc2\xa7 552a(e)(4).\n\n                  13\n                     5 U.S.C. \xc2\xa7 552a(b)(3). 
In general, disclosures of Privacy Act-protected records may\n\n                  not be made without an individual\xe2\x80\x99s prior consent. However, there are 12 exceptions, \n\n                  including 1 for routine uses identified in the SOR notice. 5 U.S.C. \xc2\xa7 552a(b).\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)            2\n\x0c                  CMS Disclosure of Records for Routine Use\n                  CMS\xe2\x80\x99s disclosure of records without prior consent must be consistent with\n                  circumstances specified in the Privacy Act (e.g., disclosures consistent\n                  with the routine uses identified in the SOR notices, disclosures for law\n                  enforcement activity, or disclosures for statistical or research purposes)\n                  and other applicable rules.14 CMS\xe2\x80\x99s published routine uses include, but\n                  are not limited to, maintaining, updating, and disseminating beneficiary15\n                  and provider16 information, such as that used for research purposes;\n                  supporting program-integrity-related activities of Medicare, Medicaid, or\n                  the Children\xe2\x80\x99s Health Insurance Program;17 and ensuring proper Medicare\n                  or Medicaid enrollment and payments.18\n                  CMS may disclose records to various types of entities for routine uses.\n                  Examples of such entities are government agencies, which include HHS\n                  employees19 and law enforcement; disproportionate share hospitals\n                  (DSH);20 and individual or private sector researchers.21 CMS policy\n                  requires that entities complete and submit documentation to CMS prior to\n                  disclosing any records. 
Examples of such documentation include an\n                  applicable data use agreement (DUA) and DUA-related documents.22\n                  DUA. In most cases, CMS requires that entities requesting records from\n                  an SOR (data) submit a DUA and other required documentation.23 A\n                  DUA is the legally binding agreement24 that CMS uses to ensure its\n                  disclosures are in compliance with the Privacy Act requirements. The\n\n\n                  14\n                     Other applicable rules may include the HHS Privacy Act regulations, 45 CFR pt. 5b; \n\n                  the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, \n\n                  45 CFR pt. 164, subparts A and E; and Office of Management and Budget rules \n\n                  governing the safeguarding of personally identifiable information.\n\n                  15\n                     73 Fed. Reg. 2257 (January 14, 2008). \n\n                  16\n                     63 Fed. Reg. 40297 (July 28, 1998). \n\n                  17\n                     71 Fed. Reg. 77759 (December 27, 2006). \n\n                  18\n                     73 Fed. Reg. 10249 (February 26, 2008); 73 Fed. Reg. 11638 (March 4, 2008). \n\n                  19\n                     HHS employees include those officers and employees who have a need for the record \n\n                  in performing their duties. 5 U.S.C. \xc2\xa7 552a(b)(1).\n\n                  20\n                     A DSH is a hospital with a disproportionately large share of low-income patients. \n\n                  CMS, Medicare Disproportionate Share Hospital, ICN 006741. January 2013. A DSH \n\n                  may request its cost-reporting data to calculate its Medicare DSH reimbursement amount.\n\n                  21\n                     5 U.S.C. 
\xc2\xa7 552a(b).\n\n                  22\n                     CMS, Policy for Privacy Act Implementation and Breach Notification, Document \n\n                  Number CMS-CIO-POL-PRIV01-01, p. 6. July 23, 2007. \n\n                  23\n                     CMS, op. cit., p. 6. CMS requires contractors and external entities to enter into a DUA \n\n                  for the purpose of tracking disclosures. CMS does not require operational contractors, \n\n                  such as Medicare Administrative contractors, or third parties that have contracts with\n\n                  operational contractors to enter into a DUA because their contracts include language \n\n                  covering compliance with other Federal privacy requirements. Operational contractors \n\n                  are those that perform the work of CMS by paying claims or processing enrollments. \n\n                  24\n                     Ibid., p. 21.\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)              3\n\x0c                  DUA contains the written terms and conditions that govern each\n                  disclosure.25 CMS requires that the entity sign the DUA when requesting\n                  data. Among other things, the DUA specifies the name of the person who\n                  is requesting and responsible for the data; the data requested; the purpose\n                  for which the data will be used; and the length of time the data will be\n                  retained, known as the retention date.26 The DUA is the only document by\n                  which CMS can verify what data an entity requested. The DUA is\n                  necessary to ensure compliance with the accounting requirements under\n                  the Privacy Act and the additional safeguards in CMS\xe2\x80\x99s policy. Each DUA\n                  may include a data request from more than one SOR. 
For example, an\n                  entity may request data from the NCH and the EDB SORs in a single\n                  DUA.\n                  CMS has different DUAs for entities requesting data. The type of entity\n                  and the type of data\xe2\x80\x94data with specific direct identifiers or limited data\xe2\x80\x94\n                  determine which DUA an entity submits to CMS. Data with specific\n                  direct identifiers contain beneficiary-specific or physician-specific\n                  information. Limited data do not contain specific direct identifiers. All\n                  these different DUAs specify what information CMS requires before\n                  disclosing any data. These DUAs are:\n                  \xef\x82\xb7\t A standard DUA, which is the default DUA that entities use to request\n                     data with specific direct identifiers, such as data from the NCH or\n                     EDB SORs.\n                  \xef\x82\xb7\t A DSH DUA, which is used only by a DSH that is specifically\n                     requesting its cost-reporting data.\n                  \xef\x82\xb7\t A DUA for a limited data set, which is used by entities requesting data\n                     that exclude specific direct identifiers, such as certain data from the\n                     MEDPAR SOR.\n                  \xef\x82\xb7\t A customized DUA, which may be used by a specific type of\n                     government agency or government agency contractor, such as an\n                     oversight or law enforcement agency.27\n                  DUA-related documents. CMS often requires that entities requesting data\n                  also submit other applicable DUA-related documents. 
These documents\n                  could include, among other things, an updated DUA, a DUA addendum, a\n\n\n                  25\n                     CMS, Data Use Agreement: Agreement for Use of Centers for Medicare & Medicaid\n                  Services Data Containing Individual Identifiers, Form CMS-R-0235. Accessed at\n                  http://www.cms.gov/cmsforms/downloads/cms-r-0235.pdf. on Aug. 8, 2011.\n                  26\n                     CMS, Policy for Privacy Act Implementation and Breach Notification, Document\n                  Number CMS-CIO-POL-PRIV01-01, p. 6. July 23, 2007; Ibid.\n\n                  27\n                     Examples of oversight or law enforcement agencies are HHS OIG and the Department \n\n                  of Justice (DOJ). \n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)        4\n\x0c                  research study protocol,28 and institutional review board (IRB)\n                  documentation.29 An updated DUA is used by an entity with an existing\n                  DUA to request additional data. A DUA addendum is used if anyone other\n                  than the requestor or custodian of the record will handle the requested\n                  CMS data or if the original requestor and/or custodian are to be replaced\n                  on the DUA.\n                  CMS\xe2\x80\x99s Data Request Review and Approval Process\n                  CMS uses a data request review and approval process to ensure that data\n                  are disclosed appropriately. The data request review and approval process\n                  is initiated when an entity submits a DUA and DUA-related documents to\n                  CMS. If CMS approves the data request, it signs the DUA acknowledging\n                  the appropriateness of the entity\xe2\x80\x99s data request. 
According to CMS\n                  policies and procedures, the data request review and approval process\n                  varies by the type of data requested by an entity and the type of entity\n                  requesting the data. If CMS approves the data request, it also signs the\n                  DUA.\n                  Researchers. CMS requires researchers to submit their DUA and other\n                  required DUA-related documents to the Research Data Assistance Center\n                  (contractor).30 The contractor ensures that researchers submit all the\n                  required documents prior to the disclosure of data. These required\n                  documents include, but are not limited to, the DUA; IRB approval, when\n                  necessary; proof of research funding; grant award letters; and research\n                  study protocols. Depending on the kind of data they are requesting from\n                  CMS, researchers may submit a standard DUA or a DUA for limited data\n                  sets. The contractor reviews the documents for appropriateness and\n                  completeness and forwards all the documents to CMS for review and\n                  approval.\n                  DSHs. DSHs requesting their cost-reporting data submit only DSH DUAs\n                  when requesting data. DSHs request cost-reporting data maintained in\n                  MEDPAR to calculate their Medicare DSH reimbursement amounts.\n                  DSHs specify in the DSH DUAs the years for which they are requesting\n                  MEDPAR data. CMS reviews the request and decides whether to approve\n                  the DUA.\n                  Government agencies. 
CMS requires that government agencies and\n                  government agency contractors submit only their DUAs when requesting\n\n                  28\n                     A research study protocol outlines how a study will be conducted.\n\n                  29\n                     IRB documentation includes documentation that an IRB or a privacy board has \n\n                  approved a waiver of participant\xe2\x80\x99s authorization of use or disclosure of information.\n\n                  Research Data Assistance Center, IRB Evidence of Approval. Accessed at \n\n                  http://www.resdac.org/cms-data/request/materials/irb-evidence-approval on \n\n                  September 18, 2012.\n\n                  30\n                     CMS contracts with the Research Data Assistance Center to review DUAs from\n\n                  researchers. \n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)              5\n\x0c                  data. Examples of such entities are HHS, CMS, CMS contractors, DOJ,\n                  HHS OIG, the Social Security Administration, and State Medicaid\n                  agencies. Government agencies and government agency contractors\n                  requesting data from CMS, such as data from NCH and PECOS, may use\n                  a standard DUA or a DUA for a limited data set. In some case, a specific\n                  type of government entity or government agency contractor\xe2\x80\x94such as an\n                  oversight or law enforcement agency, which has independent authority to\n                  obtain the requested data\xe2\x80\x94may use a customized DUA. The customized\n                  DUA must indicate what information is being requested and for what\n                  purpose the data are being requested. 
CMS policy does not exempt\n                  oversight or law enforcement agencies from using a DUA.\n                  CMS Accounting of Disclosed Records\n                  The Privacy Act requires a Federal agency, such as CMS, to implement\n                  safeguards that protect records maintained in an SOR and to account for\n                  any disclosures.31 CMS is required to keep an accurate accounting of the\n                  date, nature, and purpose of each disclosure.32 The accounting should also\n                  include the name and address of the entity that received the data.33 CMS\n                  must retain its accounting of the disclosure for at least 5 years after the\n                  disclosure or for the life of the data, whichever is longer.34\n                  CMS promulgated its Policy for Privacy Act Implementation and Breach\n                  Notification to implement the requirements of the Privacy Act.35 CMS\n                  policy states that disclosures \xe2\x80\x9cshall be limited to that which is necessary to\n                  accomplish the intended purpose of an Agency activity\xe2\x80\x9d and that \xe2\x80\x9cCMS\n                  shall limit the disclosures of personally identifiable information to no\n                  greater amount of information than is reasonably necessary to achieve the\n                  specific purpose of the disclosure.\xe2\x80\x9d36 In addition, CMS policy states, \xe2\x80\x9cA\n\n\n\n\n                  31\n                     5 U.S.C. \xc2\xa7 552a(c).\n\n                  32\n                     5 U.S.C. \xc2\xa7 552a(c)(1)(A).\n\n                  33\n                     5 U.S.C. \xc2\xa7 552a(c)(1)(B).\n\n                  34\n                     5 U.S.C. \xc2\xa7 552a(c)(2); Pursuant to CMS\xe2\x80\x99s Records Schedule, Section I:\n\n                  Administrative/Management Records, S: Data Use Agreements, 1b: Master Data Files. \n\n                  November 2012. 
Accessed at http://www.cms.gov/Regulations-and-\n                  Guidance/Guidance/CMSRecordsSchedule/downloads/RecordsSchedule.pdf on\n\n                  April 24, 2013. CMS notes that under General Records Schedules (GRS) 24.6(a) of the \n\n                  National Archives and Records Administration (NARA), accounting of disclosures \n\n                  should be retained for 6 years after the DUA is terminated or no longer needed for \n\n                  investigative or security purposes, whichever is later. NARA GRS, GRS 24.6(a). \n\n                  April 2010. Accessed at http://www.archives.gov/records-mgmt/grs/grs24.html on \n\n                  May 7, 2013. \n\n                  35\n                     CMS, Policy for Privacy Act Implementation and Breach Notification, Document \n\n                  Number CMS-CIO-POL-PRIV01-01, p. 1. July 23, 2007. \n\n                  36\n                     Ibid., p. 3.\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)         6\n\x0c                  record of disclosures shall be maintained for all required Privacy Act\n                  disclosure.\xe2\x80\x9d37\n                  Data Agreement and Data Shipping Tracking System (DADSS). CMS uses\n                  DADSS as an automated database to track and account for approved data\n                  requests, DUAs, and disclosures under the Privacy Act and its policies.\n                  DADSS generates a DUA tracking number for each approved data request,\n                  which CMS uses to track the data disclosed to an entity. DADSS contains\n                  some, but not all, of the same information as the DUA, updated DUA, and\n                  DUA addenda.\n                  For approved data requests, CMS enters information from the DUA, the\n                  updated DUA, and the DUA addendum into DADSS. 
CMS also enters\n                  additional information in DADSS, such as the type of entity requesting the\n                  data; routine use for which the data is being disclosed; DUA extension\n                  date and number of extensions, if applicable; and data disclosed to the\n                  entity. CMS, however, does not keep electronic copies of the DUA,\n                  updated DUA, or DUA addendum in DADSS. Hard copies of the DUA\n                  and DUA-related documents are kept in a user agreement file.\n                  CMS uses DADSS to send automated emails reminding entities about\n                  upcoming DUA expiration dates. The emails are sent 90, 60, and 30 days\n                  prior to the expiration date.\n                  DUA closure or extension. CMS policy requires that entities properly\n                  close their DUAs or request to extend them on or before the expiration\n                  dates specified in the DUAs.38 Entities may close their DUAs prior to the\n                  expiration dates when they no longer need the data. During the period of\n                  our review (July through November 2011), CMS required that to properly\n                  close a DUA, entities return the data39 or complete a certificate of data\n                  destruction form (referred to as data destruction form).40 By completing\n                  and submitting the data destruction form, entities certified that they\n                  destroyed all data, and any copy of the data, listed in the DUA.\n                  CMS required that to request extensions entities submit written requests\xe2\x80\x94\n                  typically via email\xe2\x80\x94explaining why extensions were needed.41 CMS\n\n\n\n                  37\n                     Ibid., p. 4.\n\n                  38\n                     Ibid., p. 
6.\n\n                  39\n                     Returned data are to be accompanied with a cover letter indicating the study or project \n\n                  name and the name of the data being returned. \n\n                  40\n                     CMS, Form CMS-R-0235, p. 3; see also Certificate of Data Destruction for Data\n                  Acquired from CMS, Form CMS-10252.\n                  41\n                     CMS, DUA \xe2\x80\x93 Extensions and Closures. Accessed at\n                  http://www.cms.gov/PrivProtectedData/27_DUA-Extensions_Closures.asp on\n                  June 22, 2011.\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)               7\n\x0c                  indicated that it would not approve new data requests from entities with\n                  expired DUAs.\n                  Related Work\n                  This evaluation is part of a body of Office of Inspector General (OIG)\n                  work on privacy and the protection of personally identifiable information.\n                  OIG has conducted work related to medical identity theft42 and the HIPAA\n                  Security Rule.43 In addition, OIG is concurrently conducting work on the\n                  HIPAA Privacy Rule44 and the Health Information Technology for\n                  Economic and Clinical Health Act (HITECH) Breach Notification Rule.45\n                  In 2012, the Government Accountability Office (GAO) provided\n                  Congressional testimony on the Federal Government\xe2\x80\x99s use and collection\n                  of personally identifiable information.46 GAO recommended that\n                  Congress consider amending applicable privacy laws to address\n                  vulnerabilities arising from increased dependence on information\n                  technology. 
Such vulnerabilities can result in compromising sensitive personal information.

METHODOLOGY

Scope
We reviewed data requests approved or renewed by CMS between September 2006 and August 2011. We selected this 5-year timeframe to account for DUAs that were active for more than 1 year. We reviewed only approved data requests entered in DADSS.

We limited our review to approved data requests from health-related SORs. Examples of health-related SORs include those that maintain beneficiary or provider claims information. We did not include approved data requests from non-health-related SORs, such as those that maintain information on employee access to CMS facilities and individuals ordering provider educational materials.

42 OIG, Breaches and Medical Identity Theft Involving Medicare Identification Numbers, OEI-02-10-00040, October 2012.
43 OIG, Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, A-04-08-05069, May 2011.
44 OIG, Office for Civil Rights (OCR) Oversight of the HIPAA Privacy Rule, OEI-09-10-00510.
45 OIG, OCR Oversight of Covered Entities' Compliance with the HITECH Breach Notification Rule, OEI-09-10-00511.
46 GAO, Federal Law Should Be Updated to Address Changing Technology Landscape, GAO-12-96IT. Accessed at http://www.gao.gov/assets/600/593146.pdf on October 9, 2012.

Sample Selection
We used the DUA tracking number generated by DADSS to identify our population of approved data requests. Our population consisted of 5,108 approved data requests. We selected a simple random sample of 150 approved data requests from this population using the DUA tracking number. Our sample contains 396 data file requests. These data files come from 19 SORs. We project our findings to our population of approved data requests. See Appendix A for a table listing the confidence intervals.

Data Collection and Analysis
We used the following data sources for our evaluation: (1) CMS policies and procedures, (2) CMS staff interviews, (3) SOR notices, and (4) user agreement files, i.e., DUA and/or DUA-related documents.

CMS policies and procedures. We reviewed CMS's policies and procedures to understand CMS's process for approving data requests, DUA extensions, and DUA closures. We also reviewed CMS's policies and procedures for the disclosure and accounting of data.

CMS staff interview. We conducted a structured interview with CMS staff responsible for approving data requests and the disclosure and accounting of data. We asked CMS staff how they approved data requests, granted DUA extensions, closed DUAs, and accounted for the disclosures.

SOR notices.
We reviewed each of the SOR notices associated with our sample to identify the routine uses allowed for the disclosure of the data.

User agreement files. We requested paper or scanned versions of the DUAs and any DUA-related documents associated with each approved data request in the sample. For the purposes of this report, we refer to each set of DUA and/or its corresponding DUA-related documents as a user agreement file. The number of user agreement files corresponds with the number of approved data requests in our sample. A DUA and/or its DUA-related documents, such as the updated DUA, DUA addenda, DADSS documentation, requests for extensions, and data destruction forms, constitute a user agreement file.

User Agreement Files Analysis
We analyzed the user agreement files on three levels—the user agreement file level, DUA level, and data file level.

User agreement file level. We reviewed the documents in the user agreement files to determine the purpose for which the data were requested. We reviewed the routine use category on the DADSS documentation to identify the purpose of the data request. We calculated the percentage of approved data requests that were requested under CMS's routine use categories. Also, we reviewed DADSS documentation in the user agreement files to determine what types of data CMS disclosed to entities.
We identified and calculated the percentages of the types of data requested using the SORs listed in the DADSS documentation.

We reviewed the documents in the user agreement files to determine whether the approved data requests, as documented in DADSS, had a DUA on file. We calculated the percentage of user agreement files that did not include the DUA. Of the user agreement files that were missing a DUA, we calculated the percentage that had DADSS and DUA-related documents and the percentage that had only DADSS documentation. We also calculated the percentage of user agreement files that had no DUA, no DADSS documentation, and no other DUA-related documents.

We reviewed the user agreement files to identify documentation of requests for extensions from an entity. We calculated the percentage of user agreement files that did not include any documentation of the entity requesting to extend its DUA.

DUA level. We reviewed the expiration dates of the DUAs associated with our sample of approved data requests. We identified the expiration date for each DUA and noted inconsistencies, if any, between the expiration date listed on the DUA and that in the DADSS documentation. We calculated the percentage of DUAs that were expired and not closed properly as of November 17, 2011, the date on which we collected the user agreement files from CMS. In addition, we calculated how long the DUAs had been expired.

We identified DUAs that had inconsistent expiration dates between the DUA and DADSS documentation.
We calculated the percentage of DUAs for which the DUA and the DADSS documentation had inconsistent expiration dates.

Data file level. To determine whether CMS disclosed the appropriate data file requested by the entities, we compared the data file on the DUAs or updated DUAs with the data file listed on the DADSS documentation. We used the DUAs and updated DUAs to identify the data file requested by the entity. We used the DADSS documentation to identify the data file disclosed to the entity. We calculated the percentage of data files that did not match the data file requests on the DUAs or updated DUAs.

Limitations
Our analysis was limited to the information provided by CMS and the information on the DUAs, DUA-related documents, and DADSS. We did not contact the entities that were in our sample of approved data requests to verify what data were disclosed to them. Further, we did not contact the entities to determine whether each needed to submit a data destruction form prior to its DUA's expiration date because it no longer needed the data.
We did not determine whether the data disclosures violated the Privacy Act.

Standards
This study was conducted in accordance with the Quality Standards for Inspection and Evaluation issued by the Council of the Inspectors General on Integrity and Efficiency.

FINDINGS

For at least 98 percent of all approved data requests, CMS's data disclosures were consistent with the routine uses
For 98 percent of all approved data requests in our sample, DADSS documentation indicated that CMS's data disclosures were consistent with the routine uses identified in the SOR notices. Of the 98 percent, 46 percent were for the routine use of Medicare cost-reporting data requested by hospitals that may be entitled to DSH payments.47 Additionally, 33 percent of approved data requests were for research purposes, 18 percent were for routine use by Federal agencies, and 4 percent were for routine use by State agencies.48

For the remaining 2 percent of all approved data requests in our sample, it is unknown whether the disclosures were consistent with the routine uses. None of these approved data requests had the DUAs on file. In two instances, DADSS documentation was also not available. Without the DUA and DADSS documentation, it would be difficult for CMS to identify what the purpose of the request was or what data were requested or disclosed.
In another instance, the data disclosure was listed as "Other data (specify)" in the DADSS documentation. However, there was no indication of the specific data released to the entity. Thus, CMS would not know what data were disclosed.

CMS disclosed data files not requested in the DUAs or updated DUAs
Five percent of all data files disclosed by CMS were not requested in the DUAs or updated DUAs associated with our sample of approved data requests.49 The data were disclosed to Federal agencies and researchers. Some of the disclosed data were outside the date ranges indicated on the DUAs or updated DUAs. In other instances, an entity requested a specific NCH file in the DUA but DADSS documentation indicated that a different NCH file was disclosed. Most of the data disclosed were from the NCH and EDB SORs. The remaining data came from various SORs that included Medicare provider, beneficiary, drug, and payment data.

47 This percentage combines all routine use categories used by CMS for DSHs and CMS components requesting Medicare cost-reporting data on behalf of DSHs.
48 Because of rounding, these percentages do not add up to 100 percent.
49 The DUA or updated DUA may include a request for a data file from more than one SOR.

One-third of all user agreement files did not include the DUAs
CMS policy requires a DUA for data disclosures; however, CMS did not have the DUAs on file for 33 percent of all user agreement files associated with our sample of approved data requests.50 Among the 33 percent, 18 percent had DADSS documentation and other DUA-related documents. Seventy-eight percent of the user agreement files that did not have the DUAs had only DADSS documentation; no other documents, such as the updated DUA, DUA addenda, and other DUA-related documents, were included in those user agreement files. For the remaining 4 percent, CMS had approved the requests and assigned DUA tracking numbers but could not account for the DUAs, DUA-related documents, or DADSS documentation in the user agreement files.
According to CMS staff, the DUAs or DUA-related documents may have been misfiled or misplaced. See Table 1 for the percentage of user agreement files without the DUAs, DUA-related documents, or DADSS documentation.

Table 1: User Agreement Files Without the DUAs

User agreement file documents | Percentage of user agreement files
No DUA but DADSS documentation and DUA-related documents were in the user agreement file | 18%
No DUA and only DADSS documentation were in the user agreement file | 78%
No DUA, no DUA-related documents, and no DADSS documentation were in the user agreement file51 | 4%
Source: OIG analysis of user agreement files, 2012.

Although CMS can use DADSS to identify to whom the data were disclosed, what type of data was disclosed, and for what purpose CMS disclosed the data, DADSS would not have the signed DUA, which includes the agreed-upon terms and conditions that govern the disclosure.
In addition, the absence of a DUA may limit CMS's ability to verify what data were requested, for what purpose the data were requested, how long the data may be retained, and who is responsible for and may use the data. Specifically, if CMS entered inaccurate or incomplete information from the DUA into DADSS, CMS would be limited to relying on the information available in DADSS or would need to follow up with the entity to verify information that may have been included in the DUA or DUA-related documents.

50 DADSS generates a DUA tracking number for each approved data request, which CMS uses to track the data disclosed to an entity.
51 Although DUA tracking numbers for these approved data requests were entered in DADSS at the time of our sample selection, CMS did not provide OIG with any associated documentation from the user agreement files, such as DADSS documentation, for review.

CMS granted DUA extensions without documentation of requests from the entities
For 29 percent of the user agreement files associated with our sample of approved data requests, CMS lacked documentation of a request for a DUA extension. Although CMS did not have any documentation, it granted DUA extensions to entities. The entities for which CMS granted the extensions included researchers and government agencies.
The amount of time for which the extensions were granted is unknown because no previous expiration dates were noted in the DADSS documentation or the DUAs were not on file. Additionally, some of these entities had already requested extensions prior to receiving additional extensions from CMS.

Fifteen percent of all DUAs were expired and not closed properly
Fifteen percent of all DUAs associated with our sample of approved data requests were both expired and not closed properly by the entities in accordance with CMS policy. None of these entities submitted data destruction forms. Further, there was no documentation in the user agreement file indicating that the entities returned the data. The data requested under these expired DUAs remain with the entities. Of these DUAs, 48 percent have been expired for almost a year and the remaining 52 percent have been expired for a year or more. Three entities that had requested and received extensions still had expired DUAs.

Additionally, 13 percent of all DUAs associated with our sample of approved data requests had DADSS documentation with expiration dates that were not consistent with those on the DUAs. The difference between the expiration dates on the DUAs and in the DADSS documentation ranged from 3 weeks to 3 years.
In eight cases, the expiration dates in the DADSS documentation came before the expiration dates on the DUAs.

CONCLUSION AND RECOMMENDATIONS
For at least 98 percent of all approved data requests in our sample, CMS's disclosures of records were consistent with the routine uses identified in the SOR notices. For the remaining 2 percent, it was unknown whether the disclosures were consistent with the routine uses. Five percent of all data files disclosed by CMS were not requested in the DUAs or updated DUAs. CMS policy requires a DUA for data disclosures; however, CMS did not have the DUAs on file in 33 percent of all the user agreement files. For 29 percent of user agreement files, CMS lacked documentation of a request for a DUA extension. Fifteen percent of all DUAs associated with our sample of approved data requests were both expired and not closed properly by the entities in accordance with CMS policy. Further, 13 percent of DUAs associated with our sample of approved data requests had expiration dates inconsistent with those in DADSS.

Overall, CMS's data disclosures are consistent with the routine uses identified in the SOR notices. However, CMS's system of tracking and accounting for disclosures needs improvement. The Privacy Act requires that CMS keep an accurate accounting of the disclosed data.
Although CMS may have a record of the approved data request in DADSS, it would not have the signed DUA, which contains the agreed-upon terms and conditions that govern the disclosures. Also, the DUA is necessary to ensure compliance with the accounting requirements under the Privacy Act and the additional safeguards in CMS's policy. CMS is working towards upgrading DADSS with the Enterprise Privacy Policy Engine (EPPE) system, an electronic information system designed to provide a traceable record of CMS's disclosures. Without accurate accounting, vulnerabilities exist in CMS's tracking and accounting of data disclosures.

We recommend that CMS:

Develop a Process To Ensure That the Data Requested Are the Ones Disclosed to the Entity
CMS should develop a process to ensure that the disclosed data are the ones requested by the entity. CMS could integrate an electronic form in DADSS to track and compare what data were requested and what data were disclosed to the entity. When additional data requests are made under the same DUA, CMS could add the request and disclosure on the electronic form to track and account for the data.
Further, when using the "Other data (specify)" category, CMS could specify on the electronic form what data were requested and disclosed to the entity.

Ensure That the DUA and DUA-Related Documents Are in a User Agreement File
CMS should ensure that all required DUA and DUA-related documents, such as the updated DUA, requests for extensions, and data destruction forms, are in a user agreement file.

CMS could use DADSS or another system to electronically store or file the DUAs and DUA-related documents. Electronic storage could potentially prevent paper DUAs and DUA-related documents from being misplaced or misfiled. Currently, CMS is working on a paperless user agreement submission process to help with electronic filing.

Ensure That Entities Submit the Required Documents To Properly Close Their DUAs
CMS should ensure that entities submit the required documents to properly close their DUAs. In June 2012, CMS made changes to its DUA closure policy. CMS has replaced the data destruction form with a certificate of disposition form. Entities can use the certificate of disposition form to close DUAs by indicating that they are destroying all the data listed in the DUA or are reusing all or some of the data in other DUAs. Additionally, CMS should not rely solely on the automated expiration date email reminders.
CMS should continue to follow up with entities that have expired DUAs.

Use a Standardized, Documented Process for Requesting and Approving DUA Extensions
During the period of our review, CMS relied on emails from entities to request extensions on their DUAs. However, email requests may be lost, deleted, or misfiled, leaving CMS without any proof that the entities requested extensions. Instead of an emailed request, CMS could require that entities request extensions using the certificate of disposition form. CMS could ensure that extension requests are approved only when the entities submit completed certificate of disposition forms. The forms could include the information that entities provided in their emailed requests for extension. The use of one form to close or extend a DUA could streamline CMS's process for tracking the status of approved data requests, DUAs, and disclosed data.

Ensure Consistent Expiration Dates Between the DUA and DADSS
CMS should ensure that the expiration date entered in the DUA is consistent with that in DADSS. If expiration dates are incorrect, CMS may fail to send email reminders about approaching expiration dates or may email entities the wrong dates.

Recent changes by CMS could address some of the problems we identified with the expiration dates. CMS has limited the timeframe for which entities may retain the data.
DUAs are set to expire 1 year from the approval date. An entity must revalidate its DUA annually with CMS if the data are needed after the initial expiration date. CMS does not limit the number of times that an entity may request an extension.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE
CMS concurred with all five of our recommendations.

CMS concurred with our first recommendation and stated that it is replacing and upgrading DADSS. CMS explained that the replacement system, the EPPE system, is designed to provide a 100-percent-traceable record of CMS's data disclosures. Although the EPPE system is designed to trace the records disclosed, CMS should ensure that the data requested are the ones that are disclosed to the entity.

CMS concurred with our second recommendation and stated that the EPPE system will maintain an automated filing of all DUA-related documents.

CMS concurred with our third recommendation and stated that the EPPE system will provide a central catalog of what data were disclosed and to whom they were disclosed.
While the EPPE system is designed to maintain an accounting of all DUA-related actions and establish an automated workflow for approval of access to data, CMS should implement a process to ensure that entities submit the required documents to properly close their DUAs.

CMS concurred with our fourth recommendation and stated that the EPPE system is being designed to standardize the process for an automated accounting of all DUA-related actions. CMS should ensure that the EPPE system will include a process for standardizing the request and approval of DUA extensions.

CMS concurred with our fifth recommendation and stated that it will use the EPPE system to ensure consistent expiration dates between the DUA and DADSS. CMS explained that the EPPE system is being designed to provide consistency in the accounting of all DUA-related actions.

See Appendix B for the full text of CMS's comments.

APPENDIX A
Point Estimates and Confidence Intervals
We calculated the point estimates and confidence intervals for data points from our sample of approved data requests.
The sample sizes, point estimates, and 95-percent confidence intervals are provided for the following:

Table A-1: Point Estimates and Confidence Intervals

Estimate description | Sample size | Point estimate | 95-percent confidence interval
Percentage of approved data requests for which the Centers for Medicare & Medicaid Services' (CMS) disclosure of data was consistent with the routine uses | 150 approved data requests | 98.0% | 94.3%–99.6%
Percentage of approved data requests for which the routine use was providing the Medicare cost-reporting data requested by hospitals that may be entitled to DSH payments | 147 approved data requests that were consistent with routine uses | 45.6% | 37.4%–53.7%
Percentage of approved data requests for which the routine use was research | 147 approved data requests that were consistent with routine uses | 32.7% | 25.0%–40.3%
Percentage of approved data requests for which the routine use was use by Federal agencies | 147 approved data requests that were consistent with routine uses | 17.7% | 11.9%–24.8%
Percentage of approved data requests for which the routine use was use by State agencies | 147 approved data requests that were consistent with routine uses | 4.1% | 1.5%–8.7%
Percentage of approved data requests for which it is unknown whether CMS's disclosure of data was consistent with the routine uses | 150 approved data requests | 2.0% | 0.4%–5.7%
Percentage of data files disclosed by CMS but not requested in the DUA or updated DUA | 396 data files | 5.1% | 1.5%–8.6%
Percentage of user agreement files that did not include a DUA | 150 user agreement files | 33.3% | 25.7%–41.0%
Of user agreement files that did not include a DUA, percentage of user agreement files that had Data Agreement and Data Shipping Tracking System (DADSS) documentation and other DUA-related documents | 50 user agreement files that did not include a DUA | 18.0% | 8.6%–31.4%
Of user agreement files that did not include a DUA, percentage of user agreement files that had only DADSS documentation | 50 user agreement files that did not include a DUA | 78.0% | 64.0%–88.5%
Of user agreement files that did not include a DUA, percentage of user agreement files that had neither DADSS documentation nor DUA-related documents | 50 user agreement files that did not include a DUA | 4.0% | 0.5%–13.7%
Percentage of DUAs for which CMS extended the expiration dates without requests for extensions from the entities | 150 DUAs | 28.7% | 21.4%–36.0%
Percentage of DUAs that were both expired and not | 150 DUAs | 15.3% | 10.0%–22.1%
closed properly\n                    Of the DUAs that were both expired and not closed       23 DUAs that were\n                    properly, percentage of DUAs that were expired for        both expired and        47.8%        25.7%\xe2\x80\x9369.9%\n                    almost a year                                           not closed properly\n                                                                                                       Continued on next page\n\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)                        19\n\x0c                  Table A-1: Point Estimates and Confidence Intervals\n                  (Continued)\n\n                                                                                                               95-Percent\n                                                                                                      Point\n                    Estimate Description                                            Sample Size                Confidence\n                                                                                                   Estimate\n                                                                                                                  Interval\n\n                                                                                   23 DUAs that\n                    Of the DUAs that were both expired and not\n                                                                                       were both\n                    closed properly, percentage of DUAs that were                                    52.2%    30.1%\xe2\x80\x9374.3%\n                                                                                 expired and not\n                    expired for a year or more\n                                                                                 closed properly\n                    Percentage of DUAs that had no 
expiration\n                                                                                       150 DUAs      10.7%    6.2%\xe2\x80\x9316.7%\n                    dates in the DUA or DADSS documentation\n                    Percentage of DUAs for which the DUA and\n                    DADSS documentation had inconsistent                               150 DUAs      12.7%    7.8%\xe2\x80\x9319.1%\n                    expiration dates\n                  Source: Office of Inspector General analysis of user agreement files, 2012.\n\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)                        20\n\x0c                              APPENDIX B\n                              Agency Comments\n\n\n\n    ~':ls\xc2\xa31lUCt;1,~\n\n\n\n\n  (~                    DEPARTMENT OF HEAL1H & HUMAN SERVICES                                    Centers for Medicare & Medicaid Services\n\n\n                                                                                                 Administrator\n                                                           JUN 1 8 2013                          Washington, DC 20201\n\n\n\n\n                      TO: \t          Daniel R. Levinson\n                                     Inspector General\n\n                      FROM: \t        Marilyn Ta~!mer\n                                                          /S/\n                                     Administrator\n\n                      SUBJECT: \t Office oflnspector General (OIG) Draft Report- CMS' Disclosure and\n                                 Accounting ofData Under the Privacy Act, OEI-09-11-00430\n\n\n                      Thank you for the opportunity to review and comment on the above mentioned OIG draft report.\n                      The Centers for Medicare & Medicaid Services (CMS) appreciates the contributions and\n                      valuable input by the OIG. 
The draft report assessed CMS' disclosure and accounting of data\n                      under the Privacy Act. The information in the report wiiJ help inform our administration of\n                      CMS' implementation of the Privacy Act.\n\n                      We are continuously working to improve our implementation of the Privacy Act and\n                      accountability for personally identifiable information (PII) disclosures from CMS' systems of\n                      records (SOR). The draft report contained five recommendations for CMS. We are addressing\n                      the recommendations in this response.\n\n                      OIG Recommendation\n\n                      CMS develop a process to ensure that the data requested are the ones disclosed to the entity.\n\n                      CMS Response\n\n                      We concur with this recommendation. CMS is currently in the process of replacing and\n                      upgrading the Data Agreement and Data Shipping Tracking System which CMS uses to track the\n                      disclosures of CMS PII. The replacement system, the Enterprise Privacy Policy Engine (EPPE),\n                      is designed to provide a 100% traceable record ofCMS' PII disclosures.\n\n                      OIG Recommendation\n\n                      CMS should ensure that the DUA and DUA-related documents are in a user agreement file.\n\n                      CMS Response\n\n                      We concur with this recommendation. 
CMS' EPPE system is designed to maintain a 100%\n                      automated filing of all DUA related documentation.\n\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)                                               21\n\x0cDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)   22\n\x0c                  ACKNOWLEDGMENTS\n                  This report was prepared under the direction of Timothy Brady, Regional\n                  Inspector General for Evaluation and Inspections in the San Francisco\n                  regional office, and Michael Henry, Deputy Regional Inspector General.\n                  Abby Lopez served as the project leader for this study. Other Office of\n                  Evaluation and Inspections staff from the San Francisco regional office\n                  who conducted the study include Camille Harper. Central office staff who\n                  provided support include Clarence Arnold, Kevin Manley,\n                  Christine Moritz, and Tasha Trusty.\n\n\n\n\nDisclosure and Accounting of Protected Records by CMS Between 2006 and 2011 (OEI-09-11-00430)   23\n\x0c                Office of Inspector General\n                                 http://oig.hhs.gov\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as\namended, is to protect the integrity of the Department of Health and Human Services\n(HHS) programs, as well as the health and welfare of beneficiaries served by those\nprograms. This statutory mission is carried out through a nationwide network of audits,\ninvestigations, and inspections conducted by the following operating components:\n\nOffice of Audit Services\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting\naudits with its own audit resources or by overseeing audit work done by others. 
Audits\nexamine the performance of HHS programs and/or its grantees and contractors in carrying\nout their respective responsibilities and are intended to provide independent assessments of\nHHS programs and operations. These assessments help reduce waste, abuse, and\nmismanagement and promote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide\nHHS, Congress, and the public with timely, useful, and reliable information on significant\nissues. These evaluations focus on preventing fraud, waste, or abuse and promoting\neconomy, efficiency, and effectiveness of departmental programs. To promote impact, OEI\nreports also present practical recommendations for improving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations\nof fraud and misconduct related to HHS programs, operations, and beneficiaries. With\ninvestigators working in all 50 States and the District of Columbia, OI utilizes its resources\nby actively coordinating with the Department of Justice and other Federal, State, and local\nlaw enforcement authorities. The investigative efforts of OI often lead to criminal\nconvictions, administrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to\nOIG, rendering advice and opinions on HHS programs and operations and providing all\nlegal support for OIG\xe2\x80\x99s internal operations. OCIG represents OIG in all civil and\nadministrative fraud and abuse cases involving HHS programs, including False Claims Act,\nprogram exclusion, and civil monetary penalty cases. In connection with these cases, OCIG\nalso negotiates and monitors corporate integrity agreements. 
OCIG renders advisory\nopinions, issues compliance program guidance, publishes fraud alerts, and provides other\nguidance to the health care industry concerning the anti-kickback statute and other OIG\nenforcement authorities.\n\x0c"